Abstract — Compensating CSP (cCSP) is a language defined to model long running business transactions within the framework of standard CSP process algebra. In earlier work, we have defined both traces and operational semantics of the language. We have shown the consistency between the two semantic models by defining a relationship between them. Synchronization, which is an important feature for any process algebra, was missing from the earlier semantic definitions. In this paper, we address this issue by extending the syntax and semantics to support synchronization and define a relationship between the semantic models. Moreover, we improve the scalability of our proof technique by mechanically verifying the semantic relationship using the theorem prover PVS. We show how to embed process algebra terms and semantics into PVS and how to use these embeddings to prove the semantic relationship.

Keywords: Compensating CSP, synchronization, semantics, theorem proving, PVS.

I. Introduction 

Business transactions involve multiple partners coordinating and interacting with each other. These transactions have hierarchies of activities that need to be orchestrated. Business transactions also need to deal with faults that can arise at any stage of the transactions. Compensation mechanisms [1] are very important for handling faults in transactions that require a long period of time (also called Long Running Transactions, LRT). Process calculi are models or languages for concurrent and distributed interactive systems. Based on the framework of Hoare's CSP process algebra [2], Butler et al. [3] introduced compensating CSP, a language to model long running transactions. The language introduces a method to declare a transaction as a process and it has constructs for the orchestration of compensations.

A formal semantics offers a complete, rigorous definition of a language and provides a foundation for mathematical proofs about programs. We have defined both traces [3] and operational semantics [4] of the language. Having two semantic models of a language, it is natural to verify the consistency between them and check how they are related. We have defined a relationship between the semantic models in [5] by following a systematic approach.

Synchronization is an important and well understood feature for concurrent and distributed processes. However, synchronization was not included in our work. In this paper, we extend the cCSP semantic models to define the semantics for synchronous processes, where processes synchronize over a set of synchronizing events, and non-synchronizing processes interleave with each other. We also show that the same relationship that was defined for asynchronous processes also holds for synchronous processes. We take our work one step further by mechanically verifying the relationship using the theorem prover PVS [6]. Mechanical verification overcomes the problems of hand proofs and also identifies potential flaws in the semantic definitions.

The rest of the paper is organized as follows. A brief overview of the cCSP language is given in § II. We then describe how the language terms are extended to define synchronization of processes in § III. We also give an example of a web service specified by using cCSP and using the extended feature of synchronization. In the following two sections, we define how the trace and the operational semantics are extended to synchronization. § VI defines a relationship between the semantic models and sketches the proof steps. We describe the PVS embedding of cCSP syntax and semantics in § VII. These embeddings are then used to establish the relationship between the synchronous semantic models. We outline some complementary work in the following section. Finally, we draw our conclusions in § IX.

II. Compensating CSP 

Processes in cCSP are modelled in terms of the atomic events they can engage in. The language provides operators that support sequencing, choice, and parallel composition of processes. In order to support failed transactions, compensation operators are introduced. The processes are categorized into standard and compensable processes. Compensation is the part of a compensable process that is used to compensate a failed transaction. We use notations such as P, Q, ... to identify standard processes, and PP, QQ, ... to identify compensable processes. The asynchronous subset of the cCSP syntax is summarized in Fig. 1.

The basic unit of the standard processes is an atomic event (A). The other operators are the sequential (P ; Q) and the parallel composition (P || Q), the choice operator (P □ Q), the interrupt handler (P ▷ Q), the empty process SKIP, raising an interrupt THROW, and yielding to an interrupt YIELD. A process that is ready to terminate is also willing to yield to an interrupt. In a parallel composition, throwing an interrupt by one process synchronizes with yielding in another process. The basic way of constructing a compensable process is through

Standard Processes:

P, Q ::= A (atomic event)
 | P ; Q (sequential composition)
 | P □ Q (choice)
 | P || Q (parallel composition)
 | SKIP (normal termination)
 | THROW (throw an interrupt)
 | YIELD (yield to an interrupt)
 | P ▷ Q (interrupt handler)
 | [PP] (transaction block)

Compensable Processes:

PP, QQ ::= P ÷ Q (compensation pair)
 | PP ; QQ
 | PP □ QQ
 | PP || QQ
 | SKIPP
 | THROWW
 | YIELDD

Fig. 1. cCSP syntax


a compensation pair (P ÷ Q), which is constructed from two standard processes, where P is called the forward behaviour that executes during normal execution, and Q is the associated compensation that is designed to compensate the effect of P when needed. The sequential composition of compensable processes is defined in such a way that the compensations of the completed tasks are accumulated in reverse order of their original composition, whereas compensations from compensable parallel processes are placed in parallel. By enclosing a compensable process PP inside a transaction block [PP], we get a complete transaction, and the transaction block itself is a standard process. Successful completion of PP represents successful completion of the block. But, when the forward behaviour of PP throws an interrupt, the compensations are executed inside the block, and the interrupt is not observable from outside of the block. SKIPP, THROWW, and YIELDD are the compensable counterparts of the corresponding standard processes and they are defined by pairing an empty compensation with them, e.g., SKIPP = SKIP ÷ SKIP.

III. Extending cCSP with Synchronization 

We define a parallel operator synchronizing over observable events (footnote 1), extending our earlier definition, where processes interleave over observable events and synchronize only over terminal events (footnote 2). We assume a set of events X over which processes will synchronize. The process (P ||_X Q) represents the parallel composition of processes P and Q, synchronizing over the set of events X. Operationally, P and Q interact by synchronizing over the events from X, while events not in X can occur independently. An event on which both processes synchronize becomes a single event in (P ||_X Q), by a synchronizing operator which will be defined later. In the following example a business transaction is modelled by cCSP constructs extended with synchronization.
Example: (Car Broker Web Services) We model a car broker web service Broker which provides online support to customers to negotiate car purchases and arranges loans for these. The architectural view of the web service is given in Fig. 2.

In cCSP, a process is described in terms of its interactions with its environment or with other processes by using atomic actions. The communications are defined via channels as in standard CSP. A communication is an event described by the pair c.v, where c is the channel name and v is the value of the message. Input/output are defined using the same construct as in CSP. Concurrent processes communicate via channels. We also use I/O parameters for a compensation pair:

(A?x ÷ B.x) ; P(x)

Footnote 1: We use normal and observable interchangeably; normal event: a ∈ Σ
Footnote 2: Cause termination of a process term; terminal event ω ∈ Ω = {✓, !, ?}

[Figure 2 (image not recoverable): four processes Buyer, Broker, Supplier and LoanStar; Buyer and Broker communicate over Order, Quote and Ack; Broker and Supplier over RFQ, Quote and Order; Broker and LoanStar over Req and Reply.]

Fig. 2. Architectural view of Car Broker web Services

The first step of the transaction is a compensation pair, where the primary action is to receive an order from the buyer and the compensation is to cancel the order. M is used to represent the finite set of car models ranged over by m.

Broker = [ (Order?m : M ÷ CancelOrder.m) ; ProcessOrder(m) ]

ProcessOrder(m) = RFQ.m ; Quote?q : Q ;
 □ c ∈ q • ( (SendOrder(c) || Loan(a)) || SendQuote(c) )

SendOrder(c) = (Order.c ÷ SKIP)

Loan(a) = (ReqLoan.a : Amt ÷ CancelLoan.a) ;
 (Reply?Accept ; SKIPP
 □ Reply?Reject ; THROWW)

SendQuote(c) = Quote.c ; (Ack?Accept ; SKIPP
 □ Ack?Reject ; THROWW)

The Broker requests the Supplier for available quotes (RFQ) and then selects a quote from the received quotes (Quote). The Broker arranges a loan for the quoted car by requesting a loan from LoanStar. The amount (Amt) of the loan to be requested is decided from the selected quote and passed to the process Loan. It requests the loan from LoanStar, which is either accepted or rejected. If the loan cannot be provided then an interrupt is thrown to cancel the actions that have already taken place. A compensation (CancelLoan) is attached to ReqLoan so that in the case of failure at a later stage the compensation can be invoked to cancel the event. The quote is also sent to the buyer (SendQuote). An interrupt can be raised either by the Buyer by rejecting the quote or by LoanStar by rejecting the requested loan. In either case, the Supplier will terminate by yielding to the interrupt thrown by the Broker, and the compensations from both Broker and Supplier will run in parallel.

The behaviour of the car broker web service is defined by combining the behaviour of Broker, Buyer, Supplier, and LoanStar, where the processes synchronize over the sets A, B and C.

System = Buyer ||_A [Broker ||_B Supplier] ||_C LoanStar

A = {Order, Quote, Ack}, B = {RFQ, Quote, Order}
C = {ReqLoan, Reply}

The example illustrates the synchronization of processes within a transaction block, [Broker ||_B Supplier], and between transaction blocks (Buyer and LoanStar are transaction blocks). It also outlines how compensations are handled in each case.

IV. Extended Trace Semantics 

A trace records the behaviour of a process up to some moment in time. The traces of composite processes are defined in terms of their constituent processes. Processes are assumed to have an alphabet of actions Σ which does not include the terminal events Ω = {✓, !, ?}. Terminal symbols indicate the way a process terminates. Standard processes are defined as non-empty sets of traces of the form s⟨ω⟩ where s ∈ Σ* and ω ∈ Ω. For traces s and t, we write s.t for their concatenation. Operators are first defined on traces and then lifted to sets of traces to define processes. The traces of a standard process P are denoted T(P). Compensable processes consist of a set of pairs of traces of the form (p⟨ω⟩, p'⟨ω'⟩), where p⟨ω⟩ represents the forward behaviour and p'⟨ω'⟩ represents the compensation. T(PP) denotes the traces of a compensable process PP.

Parallel processes synchronize over synchronizing events and interleave over other events. When processes fail to synchronize, the execution blocks and we get a partial behaviour from the composition. To denote partial behaviour, we assume a special terminal symbol ⊥ ∈ Ω which indicates a partial trace. Partial traces are analogous to trace prefixes in standard CSP. With the definition of partial behaviour, traces from standard processes satisfy the following properties:

- ⟨⊥⟩ ∈ T(P)

- p⟨x⟩q ∈ T(P) ⇒ p⟨⊥⟩ ∈ T(P)  (x ∈ Σ)

We assume ⊥ acts as a cut for trace concatenation: p⟨⊥⟩q = p⟨⊥⟩. With the introduction of the new terminal event (⊥), we extend the original trace definitions. The extended trace definitions for sequential operators are defined in Fig. 3.

We define a synchronization operator on events, writing A&A' for the synchronization of events A and A'. Consider two processes synchronizing over events a and a'; the synchronization is defined as: a&a = a, and a&a' = ⊥ when a ≠ a', i.e. the two events do not synchronize with each other.

We define a synchronization operator over terminal events from the set Ω. Table I enumerates the evaluation of this operator. We also define the synchronization operator to be commutative. From Table I it can be seen that the operator is well-defined for all the operands in the set Ω. Case analysis shows that the synchronization operator is associative.

Assuming a, a' ∈ X and b, b' ∉ X, the parallel composition of traces from standard processes is defined as follows:
The parallel and synchronization operators are symmetric. For brevity we omit the symmetric cases. The parallel composition of standard processes is defined as follows:

T(P ||_X Q) = { r | r ∈ (p ||_X q) ∧ p ∈ T(P) ∧ q ∈ T(Q) }

With the definition of partial behaviour (⊥), a pair of traces (p⟨ω⟩, p'⟨ω'⟩) of a compensable process satisfies the following properties: For x ∈ Σ,

- (⟨⊥⟩, p') ∈ T(PP)

- (p⟨x⟩q, p') ∈ T(PP) ⇒ … ∈ T(PP)

- (p, p'⟨x⟩q') ∈ T(PP) ⇒ (p, p'⟨⊥⟩) ∈ T(PP)

The trace semantics for compensable parallel processes is defined as follows:

(p, p') ||_X (q, q') =
 { (r, r') | r ∈ (p ||_X q) ∧ r' ∈ (p' ||_X q') ∧ last(r) ≠ ⊥ }
 ∪ { (r, ⟨⊥⟩) | r ∈ (p ||_X q) ∧ last(r) = ⊥ }

T(PP ||_X QQ) = { rr | rr ∈ (pp ||_X qq) ∧ pp ∈ T(PP) ∧ qq ∈ T(QQ) }

last(t) returns the terminal symbol from a trace t.

V. Extended Operational Semantics 

The operational semantics are defined by using labelled transition systems [7]. Inference rules are used to define the transitions that a process may perform, which for composite processes are given in terms of the possible transitions of the constituents (see [4] for details). Two types of transition rules are defined: normal and terminal. A normal transition is caused by a normal event, resulting in a transition of a process term from one state to another. A terminal transition is caused by a terminal event, where standard process terms terminate to a null process and the forward behaviour of compensable process terms terminates, leaving the attached compensation for future reference. Note that the language terms are extended to define the null (0) process that cannot perform any action. For standard and compensable process terms P and PP (where P, PP ≠ 0), the normal and terminal transitions are defined as follows:



P -a-> P'  (a ∈ Σ)
P -ω-> 0  (ω ∈ {✓, !, ?})
PP -a-> PP'  (a ∈ Σ)
PP -ω-> P  (ω ∈ {✓, !, ?})  (P is the compensation of PP)

(a) Standard

Atomic Action:
 ∀ A ∈ Σ · T(A) = { ⟨⊥⟩, ⟨A, ✓⟩, ⟨A, ⊥⟩ }
Basic Processes:
 T(SKIP) = { ⟨✓⟩, ⟨⊥⟩ }, T(THROW) = { ⟨!⟩, ⟨⊥⟩ },
 T(YIELD) = { ⟨?⟩, ⟨✓⟩, ⟨⊥⟩ }
Choice: T(P □ Q) = T(P) ∪ T(Q)
Sequential Composition:
 p⟨✓⟩ ; q = p.q,  p⟨ω⟩ ; q = p⟨ω⟩, where ω ≠ ✓
 T(P ; Q) = { p ; q | p ∈ T(P) ∧ q ∈ T(Q) }
Interrupt Handler:
 p⟨!⟩ ▷ q = p.q,  p⟨ω⟩ ▷ q = p⟨ω⟩ where ω ≠ !
 T(P ▷ Q) = { p ▷ q | p ∈ T(P) ∧ q ∈ T(Q) }

(b) Compensable

Choice: T(PP □ QQ) = T(PP) ∪ T(QQ)
Sequential Composition:
 (p⟨✓⟩, p') ; (q, q') = (p.q, q' ; p')
 (p⟨ω⟩, p') ; (q, q') = (p⟨ω⟩, p') where ω ≠ ✓
 T(PP ; QQ) = { pp ; qq | pp ∈ T(PP) ∧ qq ∈ T(QQ) }
Compensation Pair:
 p⟨✓⟩ ÷ q = (p⟨✓⟩, q) and
 p⟨ω⟩ ÷ q = (p⟨ω⟩, ⟨✓⟩), (p⟨ω⟩, ⟨⊥⟩) where ω ≠ ✓
 T(P ÷ Q) = { (⟨?⟩, ⟨✓⟩) } ∪ { p ÷ q | p ∈ T(P) ∧ q ∈ T(Q) }
Transaction Block:
 [p⟨!⟩, p'] = p.p',  [p⟨✓⟩, p'] = p⟨✓⟩,  [p⟨⊥⟩, p'] = p⟨⊥⟩
 T([PP]) = { [p, p'] | (p, p') ∈ T(PP) }

Fig. 3. Trace semantics of sequential processes

We extend the transition rules by defining the transitions by a ⊥, where both standard and compensable processes terminate to a null process. For any process terms P and PP (where P, PP ≠ 0), the transitions by a ⊥ are defined as follows:

P -⊥-> 0,   PP -⊥-> 0   (1)



The transition rules defined in equation (1) cover the transitions for both standard and compensable process terms by the ⊥. Hence we do not need to define additional transition rules by a ⊥. The transition rules for sequential standard and compensable processes are defined in Fig. 4(a) and Fig. 4(b) respectively.

As ⊥ is introduced during process synchronization and ⊥ is a useful semantic device that helps us derive the semantic correspondence, we define the extended transition rules for parallel processes and define those transitions that introduce a ⊥. For a compensable process the transition by a ⊥ leads to a null process and, according to our definition, no compensations are stored (being partial behaviour). The transition rules for standard and compensable parallel processes are shown in Fig. 5(a) and Fig. 5(b) respectively.

VI. Semantic Relationship

Over the years, several techniques have been used to establish relationships between different semantic models. Widely used techniques are deriving one semantics from another (e.g. [8], [9]), extracting the behaviour from one semantic model and showing its relation with another (e.g. [10]), etc. Roscoe [11] outlines how to define the semantic relationship for CSP. In our earlier work [5], [12], we have adopted a systematic approach showing a relationship between the semantic models. Traces are extracted from the transition rules of the operational semantics, the extracted traces are shown to correspond to the original traces for each term of the language, and finally the correspondence is proved by structural induction over the process terms. The steps are depicted in Fig. 6.
Fig. 6. Steps for semantic correspondence

In this paper, we extend our earlier approach to define and prove the relationship between the synchronous semantic models. Due to the introduction of partial behaviour, proving the correspondence for the synchronous semantic models becomes critical. We briefly describe the steps shown in Fig. 6 for asynchronous processes and extend those steps for synchronous processes.

The operational semantics leads to lifted transition relations labelled by sequences of events. This is defined recursively. For a standard process P:

P -⟨ω⟩-> Q  =  P -ω-> Q

P -⟨a⟩t-> Q  =  ∃P' · P -a-> P' ∧ P' -t-> Q

For a standard process P, the derived trace DT(P) is defined as follows:

Definition 1. For a trace t, t ∈ DT(P) = P -t-> 0







For compensable processes, it is required to extract traces 
from both forward and compensation behaviour. First, we 
define the lifted forward behaviour and then add the behaviour 
of compensation by reusing the above definition. For a com- 
pensable process PP, we get the following definition: 



[Fig. 4 (inference rules; only fragments survive extraction). Recoverable content:
(a) Standard. Atomic Action: A -A-> SKIP (A ∈ Σ). Basic Processes: SKIP -✓-> 0, THROW -!-> 0, YIELD -?-> 0, YIELD -✓-> 0. The figure also gives the rules for Sequential Composition, Choice and Interrupt handler.
(b) Compensable. The figure gives the rules for Choice, Sequential Composition, Compensation Pair and Transaction Block.]

Fig. 4. Operational Semantics for sequential processes

Fig. 5. Operational Semantics for synchronous processes



Definition 2. For traces t and t',

(t, t') ∈ DT(PP) = PP -(t, t')-> 0
 = ∃P' · PP -t-> P' ∧ P' -t'-> 0

Finally, the semantic relationship is defined as follows:
Theorem 1. For a standard process term P (P ≠ 0),

DT(P) = T(P)
For a compensable process term PP, where PP ≠ 0,
DT(PP) = T(PP)
The theorem is proved by showing that

t ∈ DT(P) = t ∈ T(P)
(t, t') ∈ DT(PP) = (t, t') ∈ T(PP)

We apply induction over process terms and define supporting lemmas for the structural cases. Traces are extracted for each term of the language and their correspondence with the original trace semantics is shown. For standard processes P and Q, for all the operators, we show that

t ∈ DT(P ⊗ Q) = t ∈ T(P ⊗ Q)  (2)

For each such operator ⊗, the proof is performed by induction over traces assuming DT(P) = T(P) and DT(Q) = T(Q). For compensable processes PP and QQ, we show

(t, t') ∈ DT(PP ⊗ QQ) = (t, t') ∈ T(PP ⊗ QQ)  (3)



Consider the sequential composition of processes P and Q. By using (2), the semantic relationship is shown by

t ∈ DT(P ; Q) = t ∈ T(P ; Q)

From Def. 1 we get the following equation:

t ∈ DT(P ; Q) = (P ; Q) -t-> 0

We also expand the definition of trace semantics as follows:

t ∈ T(P ; Q)

= ∃p, q · t = (p ; q) ∧ p ∈ T(P) ∧ q ∈ T(Q)
= ∃p, q · t = (p ; q) ∧ p ∈ DT(P) ∧ q ∈ DT(Q)
= ∃p, q · t = (p ; q) ∧ P -p-> 0 ∧ Q -q-> 0

Finally, from the above definitions of traces, the following lemma is formulated for the sequential composition of standard processes:

Lemma 1.

(P ; Q) -t-> 0 = ∃p, q · t = (p ; q) ∧ P -p-> 0 ∧ Q -q-> 0

The lemma is proved by applying induction over the trace t, where t = ⟨ω⟩ is the base case and t = ⟨a⟩t is the inductive case. Similarly, the supporting lemmas for all the other terms of the language are defined and proved.

For synchronous processes, we follow the same approach, extended with the newly defined ⊥ event. With the introduction of partial behaviour, the definition of derived traces remains the same except for the compensable processes. For a pair of traces (t and t'), the derived traces of synchronous compensable processes are defined as follows:

PP -(t, t')-> 0 =
 ∃R · PP -t-> R ∧ R -t'-> 0   if last(t) ≠ ⊥
 PP -t-> 0 ∧ t' = ⟨⊥⟩   if last(t) = ⊥

Considering Theorem 1 for synchronous processes, we prove the following lemma:

Lemma 2. For standard process terms P and Q,

DT(P ||_X Q) = T(P ||_X Q)

For compensable process terms PP and QQ,

DT(PP ||_X QQ) = T(PP ||_X QQ)

By following the approach shown earlier we formulate the following lemma for standard processes:

Lemma 3. (P ||_X Q) -t-> 0 = ∃p, q · t ∈ (p ||_X q) ∧ P -p-> 0 ∧ Q -q-> 0

Based on the scenario where synchronizing processes fail to synchronize and return partial behaviour, we state two separate lemmas. First, we assume that there is no failure during the synchronization of processes:

Lemma 4. (PP ||_X QQ) -t-> R =
 ∃p, q, P, Q · t ∈ (p ||_X q) ∧ last(t) ≠ ⊥
 ∧ PP -p-> P ∧ QQ -q-> Q ∧ R = (P ||_X Q)

The following lemma is defined for the cases when the synchronizing processes fail to synchronize:

Lemma 5.

(PP ||_X QQ) -t-> 0 = ∃p, q · t ∈ (p ||_X q) ∧ last(t) = ⊥
 ∧ p ∈ T(PP) ∧ q ∈ T(QQ)

In earlier work [13], we have shown how to mechanically prove the relationship between the asynchronous semantic models by embedding the cCSP syntax and semantic models into the theorem prover PVS, where the mechanical proofs followed similar proof steps to the hand proofs shown in [5]. After extending the semantic models to synchronization, instead of proving the relationship by hand, we directly prove it by using PVS. In the following section, we describe how we define and prove the semantic relationship for the synchronous models by extending the asynchronous embeddings in PVS.

VII. Mechanizing Relationship 

An embedding is a semantic encoding of one specification language into another, especially in order to reuse the existing tools of the target language. The mechanization steps for synchronous processes are outlined in this paper. Detailed mechanization steps are described in [12]. The PVS mechanization steps are sketched in Fig. 7.




Fig. 7. PVS mechanization steps 



A. cCSP Syntax 

First, we define the cCSP syntax. Separate notation is used to define the standard and compensable processes. As PVS supports overloading, the same notations can be used for the operational and the trace semantics. Fig. 8 summarizes the PVS definition of the asynchronous subset of the cCSP syntax.

Fig. 8. cCSP syntax in PVS



The syntax is then extended to define the terms for synchronization. To denote the trace semantics, we write full_parallel(X)(P,Q) for (P ||_X Q) of standard processes and cfull_parallel(X)(PP,QQ) for (PP ||_X QQ) of compensable processes.

B. Process Algebra Terms 

Proofs about properties of a process algebra often use induction on the structure of the algebra. PVS has a mechanism called abstract datatype [14], for which PVS generates an induction scheme, and it is convenient to model process algebra terms as an abstract datatype. cCSP has standard and compensable process terms and, importantly, these process terms are mutually dependent on each other. A mutually recursive datatype is not directly admissible in PVS. However, PVS has extended support for sub-datatypes [14], [15], where it is possible to define two mutually recursive datatypes as a single datatype. A sub-datatype collects together groups of constructors of a datatype that form one part of a mutually recursive datatype definition. By using this facility we define the cCSP process algebra terms as follows:



pa_terms : DATATYPE WITH SUBTYPES stand, comp
BEGIN
  Skip : skip? : stand
  choice(P : stand, Q : stand) : choice? : stand
  seq(P : stand, Q : stand) : seq? : stand
  >(P : stand, Q : stand) : inthnd? : stand
  cseq(PP : comp, QQ : comp) : c_seq? : comp
  cchoice(PP : comp, QQ : comp) : c_choice? : comp
  cpair(P : stand, Q : stand) : cpair? : comp
  blk(PP : comp) : blk? : stand
  synpara(X : setof[normal], P : stand, Q : stand)
    : synpara? : stand
  csynpara(X : setof[normal], PP : comp, QQ : comp)
    : csynpara? : comp
  ... % other terms are omitted from this presentation
END pa_terms

synpara and csynpara are the extended definitions for 
the synchronous process terms. We define a single datatype 
pa_terms that consists of two sub-datatypes: 'stand' for 
standard processes, and 'comp' for compensable processes. 
We can now define processes of types 'stand' and 'comp'. 

C. Trace Semantics 

The trace semantics are defined in PVS in the same way as they are originally defined. Operators are first defined at the trace level, and then lifted to sets of traces to define the processes. The same approach is taken for both standard and compensable processes. For synchronous processes, we first define the synchronization of terminal events shown in Table I by extending the asynchronous definition (parallel).

syn_parallel(w3 : terminal)(w1, w2 : terminal) : bool =
  IF w3 = bottom THEN
    w1 = bottom OR w2 = bottom
  ELSE parallel(w3)(w1, w2) ENDIF

The trace semantics for synchronous processes are then defined by following the definitions shown in Sec. IV. First we define operators over traces, then lift them over sets of traces to define processes. The trace semantics of both standard and compensable processes are defined in PVS as follows:

full_parallel(X)((s1, w1))((s2, w2))((s3, w3)) : RECURSIVE bool =
  CASES s3 OF
    null : null?(s1) AND null?(s2) AND syn_parallel(w3)(w1, w2)
           OR cons?(s1) AND X(car(s1)) AND null?(s2) AND w3 = bottom
           OR cons?(s2) AND X(car(s2)) AND null?(s1) AND w3 = bottom
           OR cons?(s1) AND X(car(s1)) AND cons?(s2) AND X(car(s2))
              AND car(s1) /= car(s2) AND w3 = bottom,
    cons(a, tail) :
      IF X(a) THEN cons?(s1) AND cons?(s2) AND
           car(s1) = a AND car(s2) = a AND
           full_parallel(X)((cdr(s1), w1))((cdr(s2), w2))((tail, w3))
      ELSE cons?(s1) AND car(s1) = a AND
           full_parallel(X)((cdr(s1), w1))((s2, w2))((tail, w3))
        OR cons?(s2) AND car(s2) = a AND
           full_parallel(X)((s1, w1))((cdr(s2), w2))((tail, w3))
      ENDIF ENDCASES
  MEASURE length(s3)
full_parallel(X)(P, Q : process) : process =
  {t : trace | EXISTS (p : (P), q : (Q), s1, w1, s2, w2, s3, w3) :
     p = (s1, w1) AND q = (s2, w2) AND t = (s3, w3) AND
     full_parallel(X)((s1, w1))((s2, w2))((s3, w3))}

cfull_parallel(X)((p, p1))((q, q1))((r, r1)) : bool =
  (full_parallel(X)(p)(q)(r) AND
   full_parallel(X)(p1)(q1)(r1) AND r`2 /= bottom)
  OR full_parallel(X)(p)(q)(r) AND
     r`2 = bottom AND null?(r1`1) AND r1`2 = bottom
cfull_parallel(X)(PP, QQ : comp_process) : comp_process =
  {tt : comp_trace | EXISTS (pp : (PP), qq : (QQ)) :
     cfull_parallel(X)(pp)(qq)(tt)}



We represent traces as a pair: ( s , w) , where s is the sequence 
of normal events and w is the terminal event. 
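The trace-level parallel operators of Sec. IV and the PVS full_parallel / cfull_parallel definitions above, as an added executable model (not the paper's own code): a checker with the same case split as the PVS recursion, a generator that enumerates (p ||_X q) including the ⊥ cases, and the compensable lifting. It assumes the usual cCSP synchronization table for ✓, ! and ? (Table I is not reproduced on this page) and uses constructed traces from the car broker example.

```python
"""Executable model of the synchronous trace operators of Sec. IV and of the
PVS definitions full_parallel / cfull_parallel (added example, not the
paper's own code).  A trace is a pair (s, w): s a tuple of normal events, w a
terminal symbol.  Assumption: the synchronization of the ordinary terminal
events (Table I, not reproduced here) follows the usual cCSP table."""

TICK, BANG, QUERY, BOT = "tick", "!", "?", "bot"   # terminal events: ✓ ! ? ⊥
TERMINALS = (TICK, BANG, QUERY, BOT)


def parallel_terminal(w1, w2):
    """Asynchronous synchronization of terminal events (assumed table):
    ! dominates ?, which dominates ✓."""
    if BANG in (w1, w2):
        return BANG
    if QUERY in (w1, w2):
        return QUERY
    return TICK


def syn_parallel(w3, w1, w2):
    """PVS syn_parallel(w3)(w1,w2): the composed run ends in ⊥ exactly when a
    component is partial; otherwise the asynchronous table decides."""
    if w3 == BOT:
        return w1 == BOT or w2 == BOT
    return BOT not in (w1, w2) and parallel_terminal(w1, w2) == w3


def full_parallel(X, p, q, r):
    """Checker: is r = (s3, w3) a trace of (p ||_X q)?  Same case split as
    the PVS full_parallel, recursing on s3."""
    (s1, w1), (s2, w2), (s3, w3) = p, q, r
    if not s3:
        return bool((not s1 and not s2 and syn_parallel(w3, w1, w2))
                    # a blocked synchronizing event gives a partial trace
                    or (s1 and s1[0] in X and not s2 and w3 == BOT)
                    or (s2 and s2[0] in X and not s1 and w3 == BOT)
                    or (s1 and s2 and s1[0] in X and s2[0] in X
                        and s1[0] != s2[0] and w3 == BOT))
    a, tail = s3[0], (s3[1:], w3)
    if a in X:  # synchronizing event: both sides must offer it now
        return bool(s1 and s2 and s1[0] == a and s2[0] == a
                    and full_parallel(X, (s1[1:], w1), (s2[1:], w2), tail))
    # non-synchronizing event: interleaved from either side
    return bool((s1 and s1[0] == a and full_parallel(X, (s1[1:], w1), q, tail))
                or (s2 and s2[0] == a and full_parallel(X, p, (s2[1:], w2), tail)))


def par_traces(X, p, q):
    """Enumerate the set (p ||_X q): the same cases as full_parallel, read as
    a generator instead of a checker."""
    (s1, w1), (s2, w2) = p, q
    out = set()
    if s1 and s1[0] not in X:
        out |= {((s1[0],) + t, w) for t, w in par_traces(X, (s1[1:], w1), q)}
    if s2 and s2[0] not in X:
        out |= {((s2[0],) + t, w) for t, w in par_traces(X, p, (s2[1:], w2))}
    if s1 and s2 and s1[0] in X and s1[0] == s2[0]:
        out |= {((s1[0],) + t, w)
                for t, w in par_traces(X, (s1[1:], w1), (s2[1:], w2))}
    if not s1 and not s2:
        out |= {((), w3) for w3 in TERMINALS if syn_parallel(w3, w1, w2)}
    if ((s1 and s1[0] in X and not s2) or (s2 and s2[0] in X and not s1)
            or (s1 and s2 and s1[0] in X and s2[0] in X and s1[0] != s2[0])):
        out.add(((), BOT))  # synchronization fails: partial behaviour
    return out


def cpar_traces(X, pp, qq):
    """(p, p') ||_X (q, q'): compensations are composed in parallel only after
    a complete forward run; a partial forward run (last(r) = ⊥) carries the
    compensation ⟨⊥⟩, as in cfull_parallel."""
    (p, p1), (q, q1) = pp, qq
    out = set()
    for r in par_traces(X, p, q):
        if r[1] != BOT:  # r[1] is last(r), the terminal symbol of r
            out |= {(r, r1) for r1 in par_traces(X, p1, q1)}
        else:
            out.add((r, ((), BOT)))
    return out


def car_broker_demo():
    """Constructed traces for Buyer ||_A Broker (Sec. III), A = {Order, Quote,
    Ack}.  In the second case the Broker throws right after the quote, so the
    Buyer's Ack can never synchronize and the composition is partial."""
    A = {"Order", "Quote", "Ack"}
    buyer = (("Order", "Quote", "Ack"), TICK)
    broker_ok = (("Order", "RFQ", "Quote", "Ack"), TICK)
    broker_throws = (("Order", "RFQ", "Quote"), BANG)
    return par_traces(A, buyer, broker_ok), par_traces(A, buyer, broker_throws)


if __name__ == "__main__":
    for traces in car_broker_demo():
        print(sorted(traces))
```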



D. Operational Semantics 

The operational semantics is defined by using labelled transition systems of the form P -e-> P', where the event e makes the transition of the process term from state P to P'. Two types of transitions are defined: normal and terminal. Both transition rules are defined by using a recursive boolean definition that determines whether there is a transition from one state to another state. The definitions are given by using equations derived from the transition rules. The transition rules of some process terms depend on the transition rules of both standard and compensable processes. To define these rules, we need to combine the transition rules for both standard and compensable processes. The terminal transitions for the process terms are defined as wtrans and the normal transitions are defined as ntrans (see [12], [13] for details). We then define the transition rules for synchronous processes by following the definitions given in Fig. 5(a) and 5(b).

In a normal transition, processes either synchronize or interleave. By extending the transition rules of asynchronous processes we define the transition rules for synchronous processes as follows:

synpara(X, Q, R) :
  IF X(a) THEN
    EXISTS Q1, R1 : ntrans(a)(Q, Q1) AND ntrans(a)(R, R1) AND
      Pa1 = synpara(X, Q1, R1)
  ELSE EXISTS Q1 : ntrans(a)(Q, Q1) AND Pa1 = synpara(X, Q1, R)
    OR EXISTS R1 : ntrans(a)(R, R1) AND Pa1 = synpara(X, Q, R1)
  ENDIF
csynpara(X, QQ, RR) :
  IF X(a) THEN
    EXISTS QQ1, RR1 : ntrans(a)(QQ, QQ1) AND ntrans(a)(RR, RR1) AND
      Pa1 = csynpara(X, QQ1, RR1)
  ELSE
    EXISTS QQ1 : ntrans(a)(QQ, QQ1) AND Pa1 = csynpara(X, QQ1, RR)
    OR EXISTS RR1 : ntrans(a)(RR, RR1) AND Pa1 = csynpara(X, QQ, RR1)

The terminal transitions are defined as follows:

synpara(X, Q, R) :
  EXISTS w1, w2 : syn_wtrans(w1)(Q, nul) AND
    syn_wtrans(w2)(R, nul) AND
    syn_parallel(w)(w1, w2) AND P1 = nul
  OR EXISTS (a : normal, w1, Q1) : X(a) AND ntrans(a)(Q, Q1) AND
    syn_wtrans(w1)(R, nul) AND w = bottom AND P1 = nul
  OR EXISTS (a : normal, w1, R1) : X(a) AND ntrans(a)(R, R1) AND
    syn_wtrans(w1)(Q, nul) AND w = bottom AND P1 = nul
  OR EXISTS (a1, a2 : normal, Q1, R1) :
    X(a1) AND X(a2) AND a1 /= a2 AND
    ntrans(a1)(Q, Q1) AND ntrans(a2)(R, R1) AND
    w = bottom AND P1 = nul,
csynpara(X, QQ, RR) :
  EXISTS Q1, R1, w1, w2 : syn_wtrans(w1)(QQ, Q1) AND
    syn_wtrans(w2)(RR, R1) AND syn_parallel(w)(w1, w2)
    AND w /= bottom AND P1 = synpara(X, Q1, R1)
  OR EXISTS (a : normal, w1, QQ1, R1) : X(a) AND
    ntrans(a)(QQ, QQ1) AND syn_wtrans(w1)(RR, R1) AND
    w = bottom AND P1 = nul
  OR EXISTS (a : normal, w1, Q1, RR1) : X(a) AND
    syn_wtrans(w1)(QQ, Q1) AND ntrans(a)(RR, RR1) AND
    w = bottom AND P1 = nul
  OR EXISTS (a1, a2 : normal, QQ1, RR1) :
    X(a1) AND X(a2) AND a1 /= a2 AND
    ntrans(a1)(QQ, QQ1) AND ntrans(a2)(RR, RR1) AND
    w = bottom AND P1 = nul



E. Semantic Relationship 

Following Def. 1, the derived traces of standard processes 
are defined as 'trans_trace'. It describes the transition of a 
process along a trace as a sequence of transitions by normal 
events followed by a transition by a terminal event. Consider a 
trace t, where t = t'⟨ω⟩. 

We then define Lemma 3 by using the definitions of both the 
derived traces and the trace rules as follows: 

synpara_lemma : LEMMA 
  trans_trace((s, w))(synpara(X, P, Q), nul) = 
    EXISTS (s1, w1, s2, w2) : 
      full_parallel(X)((s1, w1))((s2, w2))((s, w)) AND 
      trans_trace((s1, w1))(P, nul) AND 
      trans_trace((s2, w2))(Q, nul) 

For compensable processes, we only need to prove that the 
lifted forward behaviour corresponds to the original traces, and 
we reuse the proofs for standard processes for the compensations. 
The definition of derived traces shown in Def. 2 consists of the 
derived traces of both the forward and the compensation behaviour. 
To prove our lemmas (Lemmas 4 and 5) we only need to define 
the forward behaviour, which is defined as ftrans_trace(PP, P). 

First, we define the lemma considering the processes will 
not fail to synchronize and hence, there is no bottom event in 
the derived traces: 

csynpara_lemma : LEMMA 
  ftrans_trace((s, w))(csynpara(X, PP, QQ), R) = 
    EXISTS (s1, w1, s2, w2, P, Q) : w /= bottom AND 
      full_parallel(X)((s1, w1))((s2, w2))((s, w)) AND 
      ftrans_trace((s1, w1))(PP, P) AND 
      ftrans_trace((s2, w2))(QQ, Q) AND 
      R = synpara(X, P, Q) 

Next, we define the lemma for the case where compensable 
processes fail to synchronize. The main difference is that the 
derived trace now ends with a ⊥ representing the partial 
behaviour, and compensations are not accumulated after 
termination. 

lema_bot : LEMMA 
  ftrans_trace((s, w))(csynpara(X, PP, QQ), nul) = 
    EXISTS (s1, w1, s2, w2, P, Q) : w = bottom AND 
      full_parallel(X)((s1, w1))((s2, w2))((s, w)) AND 
      ftrans_trace((s1, w1))(PP, P) AND 
      ftrans_trace((s2, w2))(QQ, Q) 

All these lemmas are proved interactively by applying 
induction over the traces (s, w). PVS has strong support for 
induction schemes, which facilitates proving such lemmas. 
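The following Python model is an added illustration and is not part of the paper or of its PVS development. It executes the normal and terminal transition rules for the synchronous parallel composition of standard processes (synpara) given in the previous subsection, derives traces from them in the manner of trans_trace, and checks the instance of Lemma 3 on concrete processes, including the partial behaviour that arises when synchronization fails. Its encoding of process terms, its restriction of terminal events to ok and ⊥ (so that syn_parallel collapses to "any ⊥ dominates"), and its full_parallel trace rule are assumptions made for this example; compensable processes (csynpara) are not modelled. 

```python
"""Executable model of cCSP synchronous parallel for standard processes.

Added illustration only, not the paper's PVS theory. Only two terminal
events are modelled, 'ok' (successful termination) and 'bot' (the bottom
event of a failed synchronization); throw and yield are left out.

Process terms (a constructed syntax, an assumption of this example):
  ('skip',)           terminates with ok
  ('prefix', a, P)    performs normal event a, then behaves as P
  ('syn', X, P, Q)    P and Q synchronized on the event set X
"""
from itertools import product

OK, BOT = "ok", "bot"
SKIP = ("skip",)


def prefix(a, p):
    return ("prefix", a, p)


def synpara(x, p, q):
    return ("syn", frozenset(x), p, q)


def syn_terminal(w1, w2):
    # syn_parallel(w)(w1, w2) restricted to ok/bot: a failure on either side dominates
    return OK if w1 == OK and w2 == OK else BOT


def ntrans(p):
    """Normal transitions of p: yields (a, p1) for each p --a--> p1."""
    if p[0] == "prefix":
        yield p[1], p[2]
    elif p[0] == "syn":
        _, x, q, r = p
        for a, q1 in ntrans(q):
            if a in x:                            # X(a): both sides must move
                for b, r1 in ntrans(r):
                    if b == a:
                        yield a, synpara(x, q1, r1)
            else:                                 # a outside X: Q moves alone
                yield a, synpara(x, q1, r)
        for b, r1 in ntrans(r):
            if b not in x:                        # b outside X: R moves alone
                yield b, synpara(x, q, r1)


def wtrans(p):
    """Terminal transitions of p: the set of w with p --w--> nul."""
    if p[0] == "skip":
        return {OK}
    if p[0] != "syn":
        return set()
    _, x, q, r = p
    wq, wr = wtrans(q), wtrans(r)
    syn_q = {a for a, _ in ntrans(q) if a in x}
    syn_r = {a for a, _ in ntrans(r) if a in x}
    out = {syn_terminal(w1, w2) for w1, w2 in product(wq, wr)}
    # partial behaviour: one side terminates while the other offers a
    # synchronized event, or both offer synchronized events that differ
    if (wr and syn_q) or (wq and syn_r):
        out.add(BOT)
    if any(a != b for a in syn_q for b in syn_r):
        out.add(BOT)
    return out


def trans_trace(p):
    """Derived traces (s, w): normal transitions followed by a terminal one."""
    traces = {((), w) for w in wtrans(p)}
    for a, p1 in ntrans(p):
        traces |= {((a,) + s, w) for s, w in trans_trace(p1)}
    return traces


def full_parallel(x, t1, t2):
    """Trace rule for synchronous parallel (our reconstruction): all merges of
    t1 and t2 that interleave events outside X, synchronize events in X, and
    end in bot at the point where a synchronized event cannot be matched."""
    (s1, w1), (s2, w2) = t1, t2
    x = frozenset(x)

    def go(s1, s2, acc):
        if not s1 and not s2:
            yield acc, syn_terminal(w1, w2)
            return
        h1 = s1[0] if s1 else None
        h2 = s2[0] if s2 else None
        if s1 and h1 not in x:
            yield from go(s1[1:], s2, acc + (h1,))
        if s2 and h2 not in x:
            yield from go(s1, s2[1:], acc + (h2,))
        if s1 and s2 and h1 in x and h1 == h2:
            yield from go(s1[1:], s2[1:], acc + (h1,))
        stuck1 = s1 and h1 in x and (not s2 or (h2 in x and h2 != h1))
        stuck2 = s2 and h2 in x and (not s1 or (h1 in x and h1 != h2))
        if stuck1 or stuck2:
            yield acc, BOT

    return set(go(tuple(s1), tuple(s2), ()))


def lemma_holds(x, p, q):
    """Lemma 3 on a concrete pair: traces derived from the operational rules
    equal the trace rule applied to the components' derived traces."""
    lhs = trans_trace(synpara(x, p, q))
    rhs = set()
    for t1, t2 in product(trans_trace(p), trans_trace(q)):
        rhs |= full_parallel(x, t1, t2)
    return lhs == rhs


if __name__ == "__main__":
    X = {"b"}
    P, Q = prefix("a", prefix("b", SKIP)), prefix("b", prefix("c", SKIP))
    print(trans_trace(synpara(X, P, Q)))                      # {(('a','b','c'), 'ok')}
    print(trans_trace(synpara(X, prefix("a", SKIP), prefix("b", SKIP))))  # {(('a',), 'bot')}
    print(lemma_holds(X, P, Q))                                # True
```

The second example in the main block is the partial behaviour of Section D: after the interleaved a, the left process can only terminate while the right one still requires the synchronized event b, so the only derived trace ends with ⊥, and full_parallel produces the same trace from the component traces (a, ok) and (b, ok). 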

VIII. Related Work 

One of the contributions most closely related to our work is by 
Basten and Hooman in [16], where the focus is on the use of 
a general purpose proof checker, e.g., tool support for the proof 
of theoretical properties of an ACP-style process algebra [17]. 
The idea is to apply equational reasoning. Mechanical support 
both for the verification of concrete applications and for proving 
theoretical properties of the process algebra is investigated. 

PVS has been used in [18], [19] to mechanize the trace 
semantics of CSP. Their goal is to verify an authentication 
protocol specified in CSP, to overcome errors in the manual 
verification as well as to improve the scalability of the approach. 
The mechanization is based on a semantic embedding of CSP. 
The traces are defined by using a list of events, and processes 
are defined by prefix-closed sets of traces. The important 
distinction from the present work is that cCSP traces are non- 
empty and completed, and processes are defined accordingly. 

Camilleri [20] showed how to mechanize a subset of the 
CSP operators by using the theorem prover HOL [21]. The 
trace model for a subset of the CSP operators was mechanized 
in HOL. Initially, events, alphabets and traces are defined, and 
then the CSP operators are defined in terms of their trace semantic 
models. Later, laws related to the operators are proved from 
the semantic definitions. In contrast to our approach, no syntax is 
defined at this stage and the operators are defined directly in HOL. 
Syntax is defined later, and the semantics of the language is 
shown based on the already defined semantics. Similar work 
for the π-calculus can be found in [22]. One of our main goals 
is to explore ways of incorporating a process algebra in 
a general purpose theorem prover. In that respect, closely 
related research on tool support for a process algebra is 
shown in [23], where a CSP-like algebra, called DI-Algebra 
[24], is formalized in HOL. The algebra is used to reason about 
synchronous circuits. Process syntax and algebraic laws are 
defined, but no semantics is defined. 

IX. Concluding Remarks 

We have extended the cCSP language to define synchronization. 
We introduced the notion of partial behaviour, which allows us to 
model the behaviour of synchronous processes that fail to syn- 
chronize. The formal foundation of the language is strengthened 
by establishing a relationship between the semantic models, by 
showing that traces extracted from the operational semantics 
correspond to the original trace semantics. Demonstrating the 
relationship between these two semantics of the language ensures the 
consistency of the semantic description of the language. 

We have started mechanizing the semantic models and 
their relationship in order to investigate the feasibility of the 
mechanization process. We have achieved our goal by success- 
fully proving the semantic relationship for the synchronous 
processes. Defining process algebras in PVS is not a 
new idea. The novelty of this experiment is that we have not 
only defined the cCSP process algebra and the two semantic 
models, but we have also mechanically proved a relationship 
between these semantic models. 

In the hand proofs, it is easy to be imprecise about recursion 
and the typing of the rules. The mechanization forces one to be strict 
about datatypes and recursion. This helped us to define the 
theorems and the lemmas in a systematic way, and to prove all 
the lemmas in a similar fashion. The mechanization 
also helped us to identify some lemmas which were not 
explored earlier. The mechanization of the semantic models 
and their relationships also deepened our understanding of the 
semantic models for both standard and compensable processes. 

Having a firm grasp of the semantic models, we are now 
in a better position to extend the language by defining some 
important operators for the process algebra, such as event 
hiding, recursion, and the distinction between external and internal 
choice in combination with compensations. In standard CSP, 
the distinction between the two choice operators is achieved 
by using the Failures/Divergences model, which can serve as 
the basis for our work on cCSP. Our future plans also include 
developing tool support for cCSP that will allow model 
checking as well as animation of the specifications. 